DETAILED ACTION
Claim Rejections - 35 USC §103 

1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

2. Claims 1-4, 11-12, 15-16, 20-22, 25-33, 36-43, 46-54 are rejected under 35
U.S.C. 103(a) as being unpatentable over BRP publications in view of Reshef et al.
(6,584,569).

3. As per claim 1, BRP publications teaches a method for protecting an application
from executing an illegal or harmful operation request received from a distrusted
environment. BRP teaches this because BRP teaches that Appshield protects the
integrity of an e-commerce application by making it nearly impossible for hackers to use
traditional security loopholes, either in the application code or web servers (see lines 27-
29). Also, BRP publications teaches determining whether said operation request is illegal
or harmful to an environment of said application, and preventing an application from
executing an illegal or harmful operation request, because Appshield rejects unexpected,
illegal inputs, generating an error page for the user and notifying the management (see
lines 30-33). BRP does not disclose designating an application path of an application as
restricted. Reshef discloses designating an application path of an application as restricted
(see col. 3, lines 60-67). It would have been obvious to one of ordinary skill in the art at
the time of the invention to include the restricted application path of Reshef with
BRP publications; the motivation is that the detection phase searches for application path
parameters in order to check for a vulnerability (see col. 3, lines 60-67).

4. As per claim 2, BRP publications discloses wherein the illegal and harmful
operation request causes damage, because Appshield is designed to protect applications
from illegal operations (see lines 27-31). BRP publications teaches that these illegal
operations are performed by hackers (see lines 27-31). Also, BRP publications teaches
that hackers threaten the effectiveness of Internet transactions (see lines 1-5). BRP
teaches that a hacker could fraudulently change the prices on a particular item online and
purchase it at that price, could tap into secret medical records, or could access private
passwords to log on to information on a site (see lines 6-11). The Examiner asserts that
these are all illegal and harmful operations that cause damage.

5. As per claim 3, BRP publications teaches wherein said illegal and harmful
operation request is database manipulation, because BRP teaches that a hacker could
access private passwords to log on to a particular site (see lines 7-9).

6. As per claim 4, BRP publications teaches wherein said step of preventing includes
the step of rejecting said illegal or harmful operation request. Appshield prevents illegal
or harmful operation requests by rejecting them, because BRP publications teaches that
Appshield rejects unexpected, illegal inputs (see lines 30-32).

As per claim 11, BRP publications does not teach the following limitations; however,
Reshef discloses wherein said step of determining comprises the steps of: comparing said
operation request against stored known vulnerability patterns to determine a match; and
blocking said operation request if said match is found (see col. 4, lines 9-32, col. 8, lines
36-51). It would have been obvious to one of ordinary skill in the art at the time of the invention
to include comparing the operation request against stored known vulnerability patterns
and blocking; the motivation is that application level vulnerabilities have traditionally
been discovered and reviewed by developers, who have to review the application line-by-
line and understand the code to try to imagine or anticipate potential security
loopholes (see col. 1, lines 62-67, col. 2, lines 1-13 of Reshef). Developers lack the
expertise and knowledge to evaluate security flaws, and applications are constantly
changing. Therefore, Reshef discloses a scanner that detects security vulnerabilities in
applications, and stores the vulnerabilities and updates (see col. 4, lines 9-32).
As per claim 12, BRP publications does not teach the following limitations; however,
Reshef discloses the step of: updating said stored vulnerability patterns with newly found
vulnerability patterns (see col. 8, lines 36-46). It would have been obvious to one of ordinary
skill in the art at the time of the invention to include updating the stored vulnerability
patterns with newly found vulnerability patterns of Reshef with BRP publications; the
motivation is that application level vulnerabilities have traditionally been discovered and
reviewed by developers, who have to review the application line-by-line and understand
the code to try to imagine or anticipate potential security loopholes (see col. 1, lines 62-
67, col. 2, lines 1-13 of Reshef). Developers lack the expertise and knowledge to
evaluate security flaws, and applications are constantly changing. Therefore, Reshef
discloses a scanner that detects security vulnerabilities in applications, and stores the
vulnerabilities and updates (see col. 4, lines 9-32 of Reshef).

7. As per claim 15, BRP publications does not teach the following limitations;
however, Reshef discloses dividing said operation request into four zones (see col. 8, lines
1-7); comparing each of said four zones against stored known vulnerability patterns to
determine a match; and blocking said operation request if said match is found (see col. 6,
lines 1-12, col. 9, lines 32-53). It would have been obvious to one of ordinary skill in the
art at the time of the invention to include the four zones of Reshef with BRP publications;
the motivation is that these four zones of Reshef are used to detect hacking of
applications (see col. 3, lines 60-67, col. 4, lines 1-8, col. 7, lines 51-67).

8. As per claim 16, BRP publications does not teach the following limitations;
however, Reshef discloses wherein said four zones represent a URI, query string, header,
and body associated with said operation request (see col. 6, lines 1-12, col. 8, lines 1-7,
col. 9, lines 32-53). It would have been obvious to one of ordinary skill in the art at the
time of the invention to include the four zones of Reshef with BRP publications; the
motivation is that these four zones of Reshef are used to detect hacking of
applications (see col. 3, lines 60-67, col. 4, lines 1-8, col. 7, lines 51-67).

9. As per claim 20, BRP publications does not teach designating an application path
of the application as restricted; determining a destination of the operation request; and
blocking the operation request if the destination is equal to the designated path. Reshef
discloses designating an application path of the application as restricted; determining a
destination of the operation request; and blocking the operation request if the destination
is equal to the designated path (see col. 8, lines 61-67, col. 9, lines 1-3, 31-53). It would have
been obvious to one of ordinary skill in the art at the time of the invention to include the
restricted application path of Reshef with BRP publications; the motivation is that
the detection phase searches for application path parameters in order to check for a
vulnerability (see col. 3, lines 60-67).
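As an added illustration for claims 15, 16 and 20 (example code written here, not code from the application, from BRP or from Reshef), the following Python divides a raw HTTP request into the four zones (URI, query string, header, body), blocks a request whose destination equals a designated restricted path, and compares each zone against stored patterns; the restricted paths, the detection signatures and the sample requests are all constructed for this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Application paths the operator has designated as restricted (claim 20).
# Constructed sample values for this example.
RESTRICTED_PATHS = {"/admin/config.cgi", "/internal/debug"}

# Stored known vulnerability patterns, one list per zone (claims 11 and 15).
# Constructed, illustrative detection signatures only.
ZONE_PATTERNS = {
    "uri": [re.compile(r"\.\./")],                           # path traversal
    "query": [re.compile(r"'\s*or\s+1\s*=\s*1", re.I),       # SQL tautology
              re.compile(r"<script", re.I)],                  # script injection
    "header": [re.compile(r"%00|\x00")],                     # null byte in a header
    "body": [re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
             re.compile(r"<script", re.I)],
}

# Constructed sample requests (CRLF line endings as on the wire).
SAMPLE_REQUESTS = {
    "benign": "GET /shop/item?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "restricted": "GET /admin/config.cgi HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "traversal": "GET /files/%2e%2e/etc HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "sqli": "GET /shop/item?id=1'%20OR%201=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "xss_body": ("POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
                 "Content-Length: 30\r\n\r\ntext=<script>alert(1)</script>"),
}

@dataclass
class Verdict:
    blocked: bool
    zone: str = ""
    reason: str = ""

def split_zones(raw: str) -> dict:
    """Divide a raw HTTP/1.x request into the four zones of claim 16:
    URI (path), query string, header block and body. Percent-encoding is
    decoded so that encoded forms of a pattern are still matched."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    target = request_line[1] if len(request_line) > 1 else "/"
    parts = urlsplit(target)
    return {
        "uri": unquote(parts.path),
        "query": unquote(parts.query),
        "header": "\r\n".join(lines[1:]),
        "body": unquote(body),
    }

def inspect(raw: str) -> Verdict:
    """Block if the destination is a designated restricted path (claim 20),
    or if any zone matches a stored pattern (claim 15); otherwise pass."""
    zones = split_zones(raw)
    if zones["uri"] in RESTRICTED_PATHS:
        return Verdict(True, "uri", "restricted path")
    for zone, patterns in ZONE_PATTERNS.items():
        for pat in patterns:
            if pat.search(zones[zone]):
                return Verdict(True, zone, f"matched {pat.pattern!r}")
    return Verdict(False)

if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print(name, inspect(raw))
```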
10. As per claim 21, BRP publications does not teach the following limitations;
however, Reshef discloses compiling a list of acceptable operation requests; and
comparing said operation request to said list of acceptable operation requests (see col. 4,
lines 15-19, col. 8, lines 36-51). It would have been obvious to one of ordinary skill in
the art at the time of the invention to include compiling a list of acceptable operation
requests from Reshef with BRP publications; the motivation is that the scanner of Reshef
includes predefined rules which are used to create http requests based on vulnerabilities
with platforms that can be employed at the web application (see col. 4, lines 8-19 of
Reshef).

11. As per claim 22, BRP publications is silent on the following limitations; however,
Reshef discloses determining a parameter value contained within said operation
request (see col. 3, lines 44-54); and applying a pre-defined rule to said parameter based
on said parameter type, wherein said pre-defined rule defines one or more acceptable
parameter values (see col. 3, lines 60-67, col. 4, lines 1-19). It would have been obvious
to one of ordinary skill in the art at the time of the invention to include determining a
parameter value contained within the operation request of Reshef with BRP publications;
the motivation is that the scanner can dynamically traverse the web application to
examine the attributes of the path and data parameters for hackers modifying input
fields (see col. 3, lines 44-66).

12. As per claim 25, BRP publications does not teach the following limitations;
however, Reshef discloses storing said plurality of operation requests into a virtual
directory (see col. 8, lines 13-20); building a dynamic range of entered values for each
parameter in said plurality of operation requests (see col. 8, lines 61-67, col. 9, lines 1-3,
col. 10, lines 1-20); computing an acceptable range of values for each parameter based on
a statistical model applied to said dynamic range of entered values for each value (see col.
10, lines 1-35, 56-60); receiving a subsequent operation request; identifying parameter
values in said subsequent operation request; and determining if said parameter values in
said subsequent operation request are within said acceptable range of values (see col. 8,
lines 61-67, col. 9, lines 1-3). It would have been obvious to one of ordinary skill in the
art at the time of the invention to include adding parameter values in a subsequent
operation request to the dynamic range; the motivation is that the mutated requests can be
initiated during the attack stage to evaluate the real threat that the potential vulnerabilities
pose (see col. 10, lines 40-48 of Reshef et al.).

13. As per claim 26, BRP publications does not teach including the steps of: adding
said parameter values in a subsequent operation request to the dynamic range; and adjusting said
acceptable range of values for each parameter by applying said statistical model.
However, Reshef et al. discloses adding said parameter values in a subsequent operation
request to the dynamic range and adjusting said acceptable range of values for each parameter by
applying said statistical model (see col. 9, lines 60-67, col. 10, lines 1-48). It would have
been obvious to one of ordinary skill in the art at the time of the invention to include
adding parameter values in a subsequent operation request to the dynamic range; the
motivation is that the mutated requests can be initiated during the attack stage to evaluate
the real threat that the potential vulnerabilities pose (see col. 10, lines 40-48 of Reshef et
al.).
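As an added illustration for claims 25 and 26 (example code written here, not code from the application, from BRP or from Reshef), the following Python keeps a dynamic range of entered values per application path and parameter, derives an acceptable range from a statistical model, checks a subsequent request against it and, when the request is accepted, adds its values so the range is readjusted. The model (mean plus or minus k population standard deviations), the path and parameter names, and the request history are all assumptions constructed for this example; the claims name no particular statistical model.

```python
import statistics
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

class ParameterRangeModel:
    """Learns an acceptable numeric range per (path, parameter) from observed
    operation requests and re-checks later requests against it.
    Assumed model: mean +/- k population standard deviations."""

    def __init__(self, k: float = 3.0, min_samples: int = 5):
        self.k = k
        self.min_samples = min_samples
        # The "virtual directory": path -> parameter -> dynamic range of values
        self.directory = defaultdict(lambda: defaultdict(list))

    @staticmethod
    def _parse(target: str):
        parts = urlsplit(target)
        return parts.path, parse_qsl(parts.query, keep_blank_values=True)

    def learn(self, target: str) -> None:
        """Add the numeric parameter values of one request to the dynamic range."""
        path, params = self._parse(target)
        for name, value in params:
            try:
                self.directory[path][name].append(float(value))
            except ValueError:
                pass  # non-numeric parameters are outside this model

    def acceptable_range(self, path: str, name: str):
        """Acceptable (low, high) for a parameter, or None when history is too short."""
        values = self.directory[path][name]
        if len(values) < self.min_samples:
            return None
        mean = statistics.fmean(values)
        sd = statistics.pstdev(values)
        return (mean - self.k * sd, mean + self.k * sd)

    def check(self, target: str) -> dict:
        """{parameter: (value, in_range)} for a subsequent request; in_range is
        None for non-numeric values or parameters without a learned range."""
        path, params = self._parse(target)
        result = {}
        for name, value in params:
            try:
                v = float(value)
            except ValueError:
                result[name] = (value, None)
                continue
            rng = self.acceptable_range(path, name)
            result[name] = (v, None if rng is None else rng[0] <= v <= rng[1])
        return result

    def accept(self, target: str) -> bool:
        """Reject if any numeric value is out of range; otherwise add the values
        to the dynamic range so the acceptable range is readjusted (claim 26)."""
        if any(ok is False for _, ok in self.check(target).values()):
            return False
        self.learn(target)
        return True

# Constructed history of accepted purchase requests for one application path.
SAMPLE_HISTORY = [
    "/shop/buy?price=%s&qty=%s" % pq
    for pq in [("19.99", 1), ("20.49", 2), ("19.99", 3), ("20.99", 1), ("19.49", 2),
               ("19.99", 3), ("20.49", 1), ("19.99", 2), ("19.49", 3), ("20.99", 2)]
]

def build_model() -> ParameterRangeModel:
    model = ParameterRangeModel()
    for request in SAMPLE_HISTORY:
        model.learn(request)
    return model
```

With this history a price of 0.01 falls far below the learned range and is rejected, while a price of 21.00 lies inside it and, once accepted, widens the range slightly.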

14. As per claim 27, BRP publications does not teach the limitations below;
however, Reshef et al. discloses receiving one or more operation requests; formatting
each operation request into a formatted message according to a designated protocol,
wherein the designated communication protocol is determined by the type of application
being requested; indexing the one or more formatted messages (see col. 3, lines 44-58);
translating the formatted messages into internal messages according to an encoding
scheme; resolving a destination node for each operation request; storing a copy of the
indexed one or more formatted messages (see col. 3, lines 60-67, col. 4, lines 1-8);
and applying one or more pipes to each operation request, wherein the number and types of
pipes applied to each operation request are based on said resolved destination node of
each operation request (see col. 4, lines 1-30). It would have been obvious to one of
ordinary skill in the art at the time of the invention to combine BRP with Reshef, as both
teach protecting an application from hackers; the motivation to protect the application from
hackers is that a hacker can alter a parameter in an http request and freeze the application
(see col. 4, lines 1-8).

15. As per claim 28, BRP publications teaches wherein the designated
communications protocol is http (see lines 22-31).

16. As per claim 29, BRP publications inherently teaches wherein said encoding
scheme is ASCII, because BRP publications teaches the http application protocol (see lines
22-31), and http uses ASCII.

17. As per claim 30, it is rejected under the same basis as claim 9. Further, the 
application of the pipe of Reshef is the scanner(see col 44-53). 

18. As per claim 31, it is rejected under the same basis as claim 10.

19. As per claim 32, it is rejected under the same basis as claim 11.

20. As per claim 33, it is rejected under the same basis as claim 12. 
21. As per claim 48, BRP publications teaches a system for implementing an application
layer security layer between a trusted application and a distrusted computer environment,
including means for receiving an operation request for the application (see lines 16-19);
means for embedding the operation request into a data format used by the trusted
application (see lines 30-33); and means for checking the contents of the operation request
to identify if the operation request is illegal or harmful to an environment of the
application (see lines 27-29). BRP publications does not disclose an illegal or harmful request to an
environment of the application that consists of a uniform resource identifier. However,
Reshef et al. discloses wherein the illegal or harmful request consists of a uniform resource
identifier (see col. 6, lines 1-12, 49-56). It would have been obvious to one of ordinary
skill in the art at the time of the invention to include the uniform resource identifier; the
motivation is that online theft is one vulnerability, in which a hacker can change the purchase
price by changing the value of the parameter in the http request; thus by checking the
uniform resource identifier online theft can be prevented (see col. 7, lines 51-67).

22. As per claim 49, BRP publications teaches wherein said data format is selected
from HTTP (see lines 22-31).

23. As per claim 50, BRP publications inherently discloses wherein said receiving
means is a queued socket server, because BRP publications teaches that e-commerce
applications are protected from hackers, and e-commerce uses socket servers to protect data (see
lines 22-29).

24. As per claim 54, BRP publications teaches means for providing a firewall; this is
inherent in BRP, because BRP teaches that Appshield has a policy recognition
engine (see lines 22-24). Also, BRP publications teaches that Appshield recognizes the
intended application security policy by analyzing each outbound hypertext markup
language page, and enforces compliance with the policy for each incoming
application (see lines 22-26).

25. As per claim 36, it is rejected under the same basis as claim 15. 

26. As per claim 37, it is rejected under the same basis as claim 16. 

27. As per claim 38, it is rejected under the same basis as claim 17. 

28. As per claim 39, it is rejected under the same basis as claim 18. 

29. As per claim 40, it is rejected under the same basis as claim 19. 

30. As per claim 41, it is rejected under the same basis as claim 20. 

31. As per claim 42, it is rejected under the same basis as claim 21.

32. As per claim 43, it is rejected under the same basis as claim 22. 

33. As per claim 46, it is rejected under the same basis as claim 25. 

34. As per claim 47, it is rejected under the same basis as claim 26. 

35. As per claim 51, the limitations have already been addressed (see claim 27).

36. As per claim 52, it is rejected under the same basis as claim 49. 

37. As per claim 53, it is rejected under the same basis as claim 29. 

38. Claims 5-10 and 17-19 are allowable, because neither the prior art nor the non-patent
literature discloses or teaches modifying the illegal or harmful operation into a legal or
harmless operation; the prior art discloses that when an illegal or harmful
operation is detected it is analyzed and logged, and does not disclose modifying the operation
into a legal request.

39. Claims 13-14 are allowable. Claims 34-35 are objected to, because the base
claims are rejected. The claims are allowable because of computing a hash value for every
consecutive specified number of characters in the operation request, and comparing every
hash value to stored hash values. Neither the prior art nor the non-patent literature discloses computing
hash values for a number of characters; the prior art discloses looking for parameters and
checking for tampering of the application, not computing a hash value for the characters.

40. Claims 23-24 are allowable. Claims 44-45 are objected to, because the base
claims are rejected. The claims are allowable because of decrypting values in the cookie
message header and modifying the operation request to reflect the decrypted values.
The prior art fails to disclose these limitations. An example of prior art that does not disclose
these is Reshef: Reshef discloses that cookie values are checked to see if they have been
manipulated. Non-patent literature teaches cookie poisoning, by which a hacker can take on
another's identity online. However, the prior art fails to disclose the limitations above.

Response to Amendment 

41. The Applicant states that the reasons to combine BRP and Reshef are improper.

42. The Examiner disagrees with the Applicant. Applicant's arguments filed
1/11/2005 have been fully considered but they are not persuasive. In response to
applicant's argument that there is no suggestion to combine the references, the examiner
recognizes that obviousness can only be established by combining or modifying the
teachings of the prior art to produce the claimed invention where there is some teaching,
suggestion, or motivation to do so found either in the references themselves or in the
knowledge generally available to one of ordinary skill in the art. See In re Fine, 837
F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988) and In re Jones, 958 F.2d 347, 21
USPQ2d 1941 (Fed. Cir. 1992). In this case, BRP does not disclose designating an
application path of an application as restricted; however, Reshef discloses designating an
application path of an application as restricted. It would have been obvious to one of
ordinary skill in the art at the time of the invention to include the restricted application path of
Reshef with BRP publications; the motivation is that the detection phase
searches for application path parameters in order to check for a vulnerability (see col. 3,
lines 60-67).

43. The Applicant states that Reshef et al. does not disclose designating an
application path of an application as restricted. The Examiner disagrees with the Applicant.
Reshef discloses a detection phase; the detection phase searches through the application
interface structure and, using a set of detection rules, identifies application level messages
that may be potentially vulnerable (see col. 3, lines 60-67).

44. The Applicant states that Reshef does not disclose pipes. The Examiner disagrees
with the Applicant. The parameters of Reshef are pipes (see col. 4, lines 1-30). If the
Applicant wishes to claim a more specific limitation regarding types of pipes, the
Applicant is urged to do so. A learning pipe is not claimed; therefore, this is moot.

45. The Applicant states that neither BRP nor Reshef discloses dividing the operation request
into four zones and comparing each of the four zones against stored known vulnerability
patterns to determine a match. The Examiner disagrees with the Applicant. Reshef
discloses four zones that include html forms, query parameters, http headers, and cookie
values; the scanner of Reshef detects these four zones (see col. 8, lines 1-9).

46. The Applicant states that neither BRP nor Reshef discloses computing an acceptable
range of values for each parameter based on a statistical model applied to the dynamic
range of entered values for each value.... The Examiner disagrees with the Applicant.
Reshef discloses computing an acceptable range of values for each parameter based on a
statistical model applied to the dynamic range of entered values for each value...,
because the scanner sends the mutated requests to the site and ranks the attack results by
severity and success ratings (see col. 4, lines 20-24). The operator may define the types of
attacks to execute and perform them automatically or manually (see col. 4, lines 23-25).
The scanner of Reshef discloses a report that recommends fixes (see col. 4, lines 27-30).

Final Action, Necessitated by Amendment 
47. Applicant's submission of the requirements for the joint research agreement prior
art exclusion under 35 U.S.C. 103(c) on 1/11/2005 prompted the new ground(s) of
rejection under 37 CFR 1.109(b) presented in this Office action. Accordingly, THIS
ACTION IS MADE FINAL. See MPEP § 706.02(l)(3). Applicant is reminded of the
extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE
MONTHS from the mailing date of this action. In the event a first reply is filed within
TWO MONTHS of the mailing date of this final action and the advisory action is not
mailed until after the end of the THREE-MONTH shortened statutory period, then the
shortened statutory period will expire on the date the advisory action is mailed, and any
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the
advisory action. In no event, however, will the statutory period for reply expire later than
SIX MONTHS from the mailing date of this final action.

Conclusion 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Jenise E. Jackson whose telephone number is (571) 272-
3791. The examiner can normally be reached on M-Th (6:00 a.m. - 3:30 p.m.) and alternate
Fridays.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for 
the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through Private PAIR only. For 
more information about the PAIR system, see http://pair-direct.uspto.gov. Should you 
have questions on access to the Private PAIR system, contact the Electronic Business 
Center (EBC) at 866-217-9197 (toll-free). 




April 29, 2005 



AYAZ SHEIKH
SUPERVISORY PATENT EXAMINER
TECHNOLOGY CENTER



